Consumer keys of official Twitter clients


Consumer keys of official Twitter clients

Twitter for iPhone

Consumer key: IQKbtAYlXLripLGPWd0HUA
Consumer secret: GgDYlkSvaPxGxC4X8liwpUoqKwwr3lCADbz8A7ADU

Twitter for Android

Consumer key: 3nVuSoBZnx6U4vzUxf5w
Consumer secret: Bcs59EFbbsdF6Sl9Ng71smgStWEGwXXKSjYvPVt7qys

Twitter for Google TV

Consumer key: iAtYJ4HpUVfIUoNnif1DA
Consumer secret: 172fOpzuZoYzNYaU3mMYvE8m8MEyLbztOdbrUolU

Twitter for iPad

Consumer key: CjulERsDeqhhjSme66ECg
Consumer secret: IQWdVyqFxghAtURHGeGiWAsmCAGmdW3WmbEx6Hck

Twitter for Mac

Consumer key: 3rJOl1ODzm9yZy63FACdg
Consumer secret: 5jPoQ5kQvMJFDYRNE8bQ4rHuds4xJqhvgNJM4awaE8

Twitter for Windows Phone

Consumer key: yN3DUNVO0Me63IAQdhTfCA
Consumer secret: c768oTKdzAjIYCmpSNIdZbGaG0t6rOhSFQP0S5uC79g

TweetDeck

Consumer key: yT577ApRtZw51q4NPMPPOQ
Consumer secret: 3neq3XqN5fO3obqwZoajavGFCUrC42ZfbrLXy5sCv8

But what does it all mean, Basil?

@wedtm these are the username/password that application itself uses to authenticate with Twitter. These are supposed to be private, at least the secret.
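
To make concrete what a consumer secret actually does in OAuth 1.0a (RFC 5849), here is an added example that is not part of the gist or of any comment above: it builds the signature base string and the HMAC-SHA1 signature the way the spec describes, then re-checks the signature the way a resource server would. The signing key is `consumer_secret&token_secret`, so an exposed consumer secret lets anyone present the app's identity to the server, while each user's token secret still protects that user's existing access token. Every key, token, URL and hostname below is a constructed placeholder, not a credential listed on this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, "-", ".", "_", "~" stay as-is."""
    return quote(str(value), safe="-._~")


def normalize_params(params):
    """Encode, sort by key then value, join as k=v&k=v (RFC 5849 section 3.4.1.3.2)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_string_uri(url):
    """Lower-case scheme and host, drop default ports and the query (RFC 5849 section 3.4.1.2)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    if port and port != default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """Everything the signature covers: method, normalized URI, query plus oauth_* parameters."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    all_params = [(k, v) for k, v in list(query) + list(params) if k != "oauth_signature"]
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(all_params))])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """The HMAC key is consumer_secret & token_secret: both halves are needed to sign."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, oauth_params, consumer_secret, token_secret=""):
    """Client side: return the oauth_* parameters with oauth_signature appended."""
    base = signature_base_string(method, url, oauth_params)
    signature = hmac_sha1_signature(base, consumer_secret, token_secret)
    return list(oauth_params) + [("oauth_signature", signature)]


def verify_request(method, url, oauth_params, consumer_secret, token_secret=""):
    """Server side: recompute from the received parameters and compare in constant time."""
    received = dict(oauth_params).get("oauth_signature")
    if received is None:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)


def authorization_header(oauth_params, realm=None):
    """Format the oauth_* parameters as an Authorization: OAuth header (RFC 5849 section 3.5.1)."""
    pairs = [f'{pct(k)}="{pct(v)}"' for k, v in oauth_params if k.startswith("oauth_")]
    if realm is not None:
        pairs.insert(0, f'realm="{realm}"')
    return "OAuth " + ", ".join(pairs)


# Constructed placeholder credentials and endpoint; none of these appear on this page.
CONSUMER_KEY, CONSUMER_SECRET = "app-key-placeholder", "app-secret-placeholder"
TOKEN, TOKEN_SECRET = "user-token-placeholder", "user-token-secret-placeholder"
URL = "https://api.example.test/1.1/statuses/home_timeline.json?count=2"


def demo():
    """Returns (genuine_ok, consumer_secret_only_ok, tampered_ok)."""
    oauth = [("oauth_consumer_key", CONSUMER_KEY), ("oauth_nonce", "n1"),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
             ("oauth_token", TOKEN), ("oauth_version", "1.0")]
    signed = sign_request("GET", URL, oauth, CONSUMER_SECRET, TOKEN_SECRET)
    genuine_ok = verify_request("GET", URL, signed, CONSUMER_SECRET, TOKEN_SECRET)
    # Someone holding only the app's consumer secret cannot sign for an existing user
    # token: without that user's token secret half of the HMAC key is missing.
    without_token_secret = sign_request("GET", URL, oauth, CONSUMER_SECRET, "wrong-guess")
    consumer_secret_only_ok = verify_request("GET", URL, without_token_secret,
                                             CONSUMER_SECRET, TOKEN_SECRET)
    # Any change to a signed parameter (here the query string) invalidates the signature.
    tampered_ok = verify_request("GET", URL.replace("count=2", "count=200"), signed,
                                 CONSUMER_SECRET, TOKEN_SECRET)
    return genuine_ok, consumer_secret_only_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point for a defender: with the consumer secret public, `oauth_consumer_key` identifies nothing more than "someone who read the app binary", so any server-side privilege keyed on it alone (looser rate limits, exemption from bans, an "official client" label) is granted to anyone; the token secret is what still keeps individual users' access tokens safe.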

This means that anyone can now write apps that look like official apps to twitter.

@medecau Not quite, you have to store callback urls with your app, and the tokens are only handed to that url, so unless you gain control of the domains or the account that registered the apps it won't work.

That's not entirely true thilo.

I can only speak for normal people creating their own applications - as Twitter may have put more restrictions in for their own apps, but the oauth_callback parameter overrides any callback parameter configured for the applications, so you can redirect it to whatever URL you like.

@thilo As far as I know only Facebook has that kind of domain restriction in place. Using the oauth_callback parameter to override the callback url should work just fine.

Don't forget that Twitter (for iPad/iOS, at least) have XAuth support, which doesn't require going to the webpage. This means anyone can, now, write a desktop app that can't be banned ('cause it will identify itself as "Twitter for iPad/iOS") that doesn't require going all the way through the authorization page.

I've just tested with localhost:3000, the oauth_callback parameter definitely does not matter. Also, the applications are set up as "Desktop" applications, meaning they require out-of-band tokens (including the iPhone/Android/Windows Phone). A test script: https://gist.github.com/tcr/5108489

You also need to specify the callback in the application management tool on Twitter for the newer apps, regardless of what you set in your code. It doesn't work otherwise.

They had it coming.

Let's be honest. They only need to send out a version bump for Twitter clients and expire these tokens and force you to update. It won't give you god-like powers ... at least not for long.

@JonLundy, no, but if they have to bump versions every time someone breaks these keys... then they have a big headache in their hands.

They cannot reasonably upgrade hundreds of millions of dumb feature phones that may have those keys embedded in them. I'd say they're hosed if that's true.

And so the cat and mouse game begins. If Twitter bans a token, then all clients stop working, and thus legitimate users will be irate. This will be a good show.

Hopefully Falcon Pro throws the first stone.

@dlikhten Doing that will, I am sure, earn Falcon Pro a lifetime ban; all their users would be rendered useless.

Why am I surprised that @tcr is one of the first to get on this train?

Has anyone been able to verify these codes are genuine?

Seems like this gist was revised 5 months ago.

@tomasmcguinness the Windows Phone one certainly is. I just used it to tweet from the "t" Ruby client on my Mac.

@brh, it surely will... but then again... how will they ban Falcon Pro if they are using someone else's keys :P

You people know that those apps are mobile apps? Most of them use pseudo callback URLs and parse the server's redirect for the auth token. So even if Twitter enforces matching callback URLs, that will not solve the problem here when third-party apps impersonate the official apps.

They are genuine, I verified the Twitter for Android and the TweetDeck keys personally.

It works... awesome... ^_^

And with no rate limiting as far as I can see...

Lesson #1 in business, don't piss off the nerds.

These keys are just embedded in the apps, no? Is there a way to store these keys securely? Or maybe there's a different way to do auth?
